Network policy logs

Hi,
I have a “- action: Log” in one of my Calico policies but I'm not sure where to look for the generated logs. The only thing the doc says is that it is logged to syslog, without any other info. What do the logs look like and what should I look for? I’ve used journalctl but I'm not sure what to look for. Any help is appreciated. Thanks!

Syslog is a standard Linux logging system. It's not possible to give prescriptive advice on where to find the logs because it depends on what Linux distro you’re using and how it's configured.

Here’s an overview: Syslog - Definition and Details

However, most Linux distros by default have a syslog server listening on localhost that writes to /var/log/syslog or /var/log/messages.

Thanks, the question wasn’t where to find the sys logs, it was what to look for in the logs. In other words, what are some identifiers of a message logged by Calico? There are thousands of messages logged by various and simply reading them line by line isn’t practical.

Here’s an example (from simply tailing syslog while curling from pod-pod):

Jul  5 13:51:12 lance-bz-68eq-kadm-node-0 kernel: [ 1327.977274] calico-packet: IN=tunl0 OUT=calia3106152bb4 MAC= SRC=192.168.80.66 DST=192.168.15.66 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=15477 DF PROTO=TCP SPT=54048 DPT=80 WINDOW=64400 RES=0x00 SYN URGP=0 
Jul  5 13:51:32 lance-bz-68eq-kadm-node-0 kernel: [ 1347.669812] calico-packet: IN=tunl0 OUT=calia3106152bb4 MAC= SRC=192.168.80.66 DST=192.168.15.66 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=43060 DF PROTO=TCP SPT=54058 DPT=80 WINDOW=64400 RES=0x00 SYN URGP=0 
Jul  5 13:51:32 lance-bz-68eq-kadm-node-0 kernel: [ 1348.250980] calico-packet: IN=tunl0 OUT=calia3106152bb4 MAC= SRC=192.168.80.66 DST=192.168.15.66 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=14531 DF PROTO=TCP SPT=54060 DPT=80 WINDOW=64400 RES=0x00 SYN URGP=0 
Jul  5 13:51:33 lance-bz-68eq-kadm-node-0 kernel: [ 1348.698570] calico-packet: IN=tunl0 OUT=calia3106152bb4 MAC= SRC=192.168.80.66 DST=192.168.15.66 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=26248 DF PROTO=TCP SPT=54062 DPT=80 WINDOW=64400 RES=0x00 SYN URGP=0 
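
The `calico-packet:` prefix in the sample lines above is the identifier to filter on; the rest of each line is the kernel's netfilter LOG format of KEY=value fields. As an added example (not part of the original posts), the following Python filters syslog text for that prefix and counts logged packets per flow; the sample input is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: two Calico Log-action lines (modelled on the format shown
# in the post above) mixed with unrelated syslog noise.
SAMPLE = """\
Jul  5 13:51:12 node-0 kernel: [ 1327.977274] calico-packet: IN=tunl0 OUT=calia3106152bb4 MAC= SRC=192.168.80.66 DST=192.168.15.66 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=15477 DF PROTO=TCP SPT=54048 DPT=80 WINDOW=64400 RES=0x00 SYN URGP=0
Jul  5 13:51:13 node-0 systemd[1]: Started Session 12 of user root.
Jul  5 13:51:32 node-0 kernel: [ 1347.669812] calico-packet: IN=tunl0 OUT=calia3106152bb4 MAC= SRC=192.168.80.66 DST=192.168.15.66 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=43060 DF PROTO=TCP SPT=54058 DPT=80 WINDOW=64400 RES=0x00 SYN URGP=0
Jul  5 13:51:40 node-0 kernel: [ 1355.000000] eth0: link up
"""

PREFIX = "calico-packet:"            # identifier seen in the thread's sample lines
FIELD = re.compile(r"(\w+)=(\S*)")   # KEY=value; the value may be empty (MAC=)
FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "DF"}  # bare tokens, no '='


def parse_line(line):
    """Return a dict of packet fields, or None if this is not a Calico log line."""
    head, sep, body = line.partition(PREFIX)
    # Assumption: genuine entries carry the " kernel:" tag before the prefix,
    # as in the thread's sample; other syslog formats may need a different check.
    if not sep or " kernel:" not in head:
        return None
    rec = dict(FIELD.findall(body))
    rec["FLAGS"] = sorted(tok for tok in body.split() if tok in FLAGS)
    return rec


def summarise(text):
    """Count logged packets per (SRC, DST, PROTO, DPT) flow."""
    flows = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            key = (rec.get("SRC"), rec.get("DST"), rec.get("PROTO"), rec.get("DPT"))
            flows[key] += 1
    return flows


if __name__ == "__main__":
    for flow, count in summarise(SAMPLE).most_common():
        print(count, *flow)
```
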

@lwr20, Thank you very much!

Hi,

I am able to view these logs successfully.
I was wondering if there is a way to view dropped packets through these logs - say the packets denied using “action: Deny”.

And just for clarity’s sake, what exactly does the log action send to the logs?

Thanks!

> I was wondering if there is a way to view dropped packets through these logs - say the packets denied using “action: Deny”.

Not exactly, you could add a Log action to every Deny rule though.

FWIW, Calico Enterprise allows this sort of visibility into packets, and has a nice WebUI showing packet flows throughout your cluster.

> And just for clarity’s sake, what exactly does the log action send to the logs?

To syslog. Where that goes depends on the configuration of the syslog daemon on your machine.